---
layout: docs
page_title: 'nomad tls ca create command reference'
description: |
  The `nomad tls ca create` command creates a certificate authority that you then use to create a self-signed certificate for Nomad Transport Layer Security (TLS) configuration.
---

# `nomad tls ca create` command reference

Create is used to create a self signed Certificate Authority to be used for
Nomad TLS setup.

## Usage

```plaintext
nomad tls ca create [options]
```

## Options

- `-additional-domain=<value>`: Add name constraints for the CA. The server will
  reject certificates for DNS names other than those specified in `-domain` and
  `-additional-domain`. Can be used multiple times. This option can only used in
  combination with `-domain` and `-name-constraint`.

- `-common-name`: Common Name of CA. Defaults to Nomad Agent CA.

- `-country`: Country of the CA. Defaults to "US".

- `-days=<int>`: Provide number of days the CA is valid for from now on,
  defaults to 5 years.

- `-domain=<string>`: Domain of nomad cluster. Only used in combination with
  `-name-constraint`. Defaults to `nomad`.

- `-locality`: Locality of the CA. Defaults to "San Francisco".

- `-name-constraint`: Add name constraints for the CA. Results in rejecting
  certificates for other DNS than specified. If set to true, "localhost" and
  `-domain` will be added to the allowed DNS. Defaults to false.

~> **Warning:** If `-name-constraint` is enabled and you intend to serve the
  Nomad web UI over HTTPS its DNS must be added with `additional-domain`. It is
  not possible to add that after the fact.

- `-organization`: Organization of the CA. Defaults to "HashiCorp Inc.".

- `-organizational-unit`: Organizational Unit of the CA. Defaults to "Nomad".

- `-postal-code`: Postal Code of the CA. Defaults to "94105".

- `-province`: Province of the CA. Defaults to "CA".

- `-street-address`: Street Address of the CA. Defaults to "101 Second Street".

## Example

Create CA:

```shell-session
$ nomad tls ca create
==> CA Certificate saved to: nomad-agent-ca.pem
==> CA Certificate key saved to: nomad-agent-ca-key.pem
```

Create a CA with a specified domain:

```shell-session
$ nomad tls ca create -name-constraint="true" -domain="foo.com"
==> CA Certificate saved to: foo.com-agent-ca.pem
==> CA Certificate key saved to: foo.com-agent-ca-key.pem
```
